IT security news on the latest technology and the number one resource for your hardware and software needs.
Visit us at www.hyphenet.com

Friday, April 12, 2013

Check Your WordPress Plugins: Social Media Widget Found to be Injecting Spam into Websites

WordPress webmasters are being advised to update (or remove) the Social Media Widget plugin following the discovery that it was being used to inject spam into the websites it was installed on.

According to Sucuri Security, the malicious code, which calls the URL hxxp://i.aaur.net/i.php to inject “Pay Day Loan” spam links into the affected website, was added in version 4.0 of the plugin, which was released about 2 weeks ago.

A thread on the plugin’s support forums reveals that the compromise was the result of the owner trusting the wrong developer.

The Social Media Widget plugin was removed from the WordPress Plugin repository after it was found to have been tampered with, but has since been reinstated following removal of the bad code in version 4.0.1.

However, the plugin is quite popular, and there’s no telling how many of the 900k websites it had already been installed on are still at risk.
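A defender's check for the two indicators this article gives (the i.aaur.net host and plugin version 4.0), written here as an added example; it is not code from Sucuri, the plugin, or the original post. The sample plugin tree, its directory and file names, and the function names are constructed for illustration; point `audit()` at a site's `wp-content/plugins` directory to use it.

```python
import re
import tempfile
from pathlib import Path

IOC_HOST = "i.aaur.net"             # host from the URL reported in this article
PLUGIN_NAME = "Social Media Widget"
BAD_VERSION = "4.0"                 # tampered release; 4.0.1 removed the bad code

# WordPress plugin header lines, e.g. " * Version: 4.0" inside the top comment.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def plugin_header(text):
    """Return the Plugin Name / Version header fields found near the top of a file."""
    return {key.lower(): value for key, value in HEADER.findall(text[:8192])}

def audit(plugins_dir):
    """Return (kind, path) findings for every PHP file under a plugins directory."""
    findings = []
    for php in sorted(Path(plugins_dir).rglob("*.php")):
        text = php.read_text(errors="replace")
        # Plain-text match only: an encoded or obfuscated reference is not caught.
        if IOC_HOST in text.lower():
            findings.append(("ioc-reference", str(php)))
        hdr = plugin_header(text)
        if hdr.get("plugin name") == PLUGIN_NAME and hdr.get("version") == BAD_VERSION:
            findings.append(("tampered-version", str(php)))
    return findings

def build_sample(root):
    """Constructed sample tree; directory names, file names and contents are made up."""
    old = Path(root, "smw-old")
    old.mkdir()
    (old / "widget.php").write_text(
        "<?php\n/*\nPlugin Name: Social Media Widget\nVersion: 4.0\n*/\n"
        "$u = 'hxxp://i.aaur.net/i.php'; // constructed stand-in, defanged\n")
    fixed = Path(root, "smw-fixed")
    fixed.mkdir()
    (fixed / "widget.php").write_text(
        "<?php\n/*\nPlugin Name: Social Media Widget\nVersion: 4.0.1\n*/\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, path in audit(build_sample(tmp)):
            print(kind, path)
```

A clean result from the string match does not prove a file is clean, so the version check and an update to 4.0.1 (or removal) remain the deciding steps.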

If you have the Social Media Widget plugin installed on your WordPress website, it is strongly advised that you: